author | David P <megver83@parabola.nu> | 2018-04-06 10:23:47 -0300 |
---|---|---|
committer | David P <megver83@parabola.nu> | 2018-04-06 10:25:51 -0300 |
commit | 0acc9a712cb67d6a793eebc2df362e6e95def52e (patch) | |
tree | fe20d749a8d190683b4fb10b9a7cdd4e44f6e704 /pcr/apparmor/apparmor.service | |
parent | 0ffe604ceb554d788db0f212db7d7f52e3cfd84c (diff) | |
upgpkg: pcr/apparmor 2.12.0-1
Diffstat (limited to 'pcr/apparmor/apparmor.service')
-rw-r--r-- | pcr/apparmor/apparmor.service | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/pcr/apparmor/apparmor.service b/pcr/apparmor/apparmor.service
index 93f273a0d..2490d1bb8 100644
--- a/pcr/apparmor/apparmor.service
+++ b/pcr/apparmor/apparmor.service
@@ -1,13 +1,24 @@
 [Unit]
-Description=AppArmor profiles
+Description=Load AppArmor profiles
 DefaultDependencies=no
-After=local-fs.target
 Before=sysinit.target
+After=systemd-journald-audit.socket
+After=var.mount var-lib.mount
+ConditionSecurity=apparmor
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/apparmor_load.sh
-ExecStop=/usr/bin/apparmor_unload.sh
+ExecStart=/usr/lib/apparmor/apparmor.systemd reload
+ExecReload=/usr/lib/apparmor/apparmor.systemd reload
+
+# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
+# from running processes (and not being able to re-apply it later).
+# Upstream systemd developers refused to implement an option that allows overriding
+# this behaviour, therefore we have to make ExecStop a no-op to error out on the
+# safe side.
+#
+# If you really want to unload all AppArmor profiles, run aa-teardown
+ExecStop=/usr/bin/true
 RemainAfterExit=yes
 [Install] |
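Review bot: After this change the unit's state no longer shows whether confinement is in effect, and only one of the two causes is documented in the file. With `ConditionSecurity=apparmor` in [Unit], a boot where the kernel has AppArmor disabled skips the service as an unmet condition rather than a failure, so no profiles are loaded and nothing appears as failed. That line deserves a comment such as `# Skipped (not failed) when the kernel has AppArmor disabled; verify with aa-status`. The other cause, `ExecStop=/usr/bin/true`, is the safe direction and is explained, but the comment's "error out on the safe side" is misleading because `/usr/bin/true` never errors and `systemctl stop` reports success with profiles still loaded; "fail safe" would be more accurate. The [Install] section continues outside the hunk.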